A linear type system for pi calculus joint work with Vasco T. - - PowerPoint PPT Presentation

A linear type system for pi calculus

joint work with Vasco T. Vasconcelos Marco Giunti

INRIA & LIX, ´ Ecole Polytechnique Palaiseau Behavorial Types, April 19 2010, Lisboa

Session Types

• Describe a protocol between a service provider and a client
• Introduced for the pi calculus and now embedded also in other

paradigms based on message passing

• functional programming
• object oriented programming
• Idea: allowing typing of channels by using structured sequences
• f types as output,output,input,..

!Integer . ! Boolean . ? Boolean . end

2

Session types in the pi calculus

• In [HVK Esop’98] a typing discipline for structured programming is

introduced for a dialect of pi calculus

• Session channels are used to abstract binary sessions and are

distinguished from standard pi calculus channels or names

• Session initiation arises on names
• Fidelity of sessions is guaranteed by a typing system enforcing a

session channel to be used at most by two threads with opposite capabilities (e.g. input/output) 3

Discussion

• In the original system and recent works session delegation is

restricted to bound output

xk.P | x(k).Q → P | Q

• Communication mechanism of the pi calculus breaks subject

reduction

• Decoration of channel end-points is the de-facto workaround [GH

Acta’05]

x+yp.P | x−(z).Q → P | Q[yp/z]

• Distinction between names and session channels of [HVK98]

leads to duplicate typing rules 4

What we have done

• Remove distinction among session channels and names
• Do not use polarities or double binders
• That is: we use standard pi calculus
• Annotate session types with qualifiers
• lin for linear use
• un for unrestricted use
• Introduce a type construct that describes the two ends of a same

channel 5

Types

• Types T
• S for end point type describing one channel end
• (S, S) for channel type describing both channel ends
• End point types S are
• lin p linear channel used exactly once
• un p channel is used zero or more times
• µa.S and a for recursive end point types
• Session types p are
• ?T.S: waits for value of type T then continues as S
• !T.S: sends a value of type T then continues as S
• end: no further interactions are possible

6

Example: event scheduling

• 1. Create poll
• provide the title for the meeting
• provide a provisional date
• 2. Invite participants
• Pi calculus: send request to create poll / receive poll channel

polly.y(p).(pWorkshop.p19April.(z1p | · · · | znp))

• Challenge: concurrent distribution of the poll channel

7

Session type for the poll

• Poll channel used first in linear mode then in unrestricted mode
• Steps:
• 1. Send a title for the poll (linear mode)
• 2. Send a date for the poll (linear mode)
• 3. Distribute the poll (unrestricted mode)

y(p).(pWorkshop.p19April.(z1p | · · · | znp))

• End point session type for channel p is

lin !string.lin !date. ∗S

where

∗S = un !date. ∗S

• Recursive unrestricted type S allows distribution of poll channel

8

Type for the scheduling service

• Service: instantiation generates poll

Service =!poll(w).(νp : (S1, S2)) (wp.p(t).p(d).!p(d))

S1 = lin ?string.lin ?date. ∗un ?date S2 = lin !string.lin !date. ∗un !date

• Poll channel is split:
• 1. One channel end sent to the invoker
• 2. The other channel end used in the continuation

9

Context splitting

• Type system Γ ⊢ P based on context splitting Γ1 · Γ2
• Unrestricted types are copied into both contexts
• Linear types are placed in one of the two resulting contexts

Γ1, p : S2 ⊢ p : S2 Γ2, w : end, p : S1 ⊢ p(t).p(d).!p(d) Γ = Γ1 · Γ2 Γ, w : lin !S2.end, p : (S1, S2) ⊢ wp.p(t).p(d).!p(d)

10

Subject reduction

• Γ balanced, Γ ⊢ P , P → P ′ imply Γ′ ⊢ P ′ with Γ′ balanced
• Interesting case: (q ?T.S1, q ?T.S2) is balanced if both T and

(S1, S2) are balanced

• Purpose of balancing is to preserve soundness of exchange

Γ = x : (lin ?(∗!bool).un end, lin !(un end).un end), y : un end Γ ⊢ x(z).ztrue | xy x(z).ztrue | xy → ytrue x : (un end, un end), y : un end ⊢ ytrue

11

SR at work

• Receiving of a session already known

xv | x(y).vtrue.y(z) → vtrue.v(z)

• Typing the redex

v : (un end, lin ?bool.un end) ⊢ v(z) v : (lin !bool.un end, lin ?bool.un end) ⊢ vtrue.v(z)

12

Algorithm

• Type system ⊢ cannot be implemented directly
• Main difficulty is split operation
• We avoid split by
• 1. passing entire context for the judgement
• 2. mark linear types consumed in the derivation as unusable

13

Type checking

• Algorithm relies on several patterns of checking function

fun check(g : context, p : process) : context

• Context in input is balanced
• 1. patterns are non ambiguous
• 2. no backtracking is needed
• Context in output has void marks in place of consumed types
• Top-level call accepts process if check returns unrestricted context

fun typeCheck(g : context, p : process) : bool

14

Checking the service

• Poll delegation: type for delegation channel T = lin !S2.un end

check(Γ, w : T, p : (S1, S2) , wp.P) = let val d = check(Γ, w : un end, p : (S1, ◦), P) in if d = d′, w : M and M = ◦, un p then d′, w : ◦

• Call for the continuation by setting delegated end point for the poll

to void (noted ◦)

• Linear use of channel must be consumed within the continuation

(condition M = ◦, un p)

• Returned context obtained by setting to void the unrestricted type

for the channel 15

Checking the continuation

• Linear receiving of the date: S1 = lin ?string.lin ?date. ∗un ?date

check(Γ, p : (S1, N) , p(t).P) = let val d = check(Γ, p : lin ?date. ∗un ?date, t : string, P) in if d = d′, p : M and M = ◦, un p then d′, p : (◦, N)

• Checking of the continuation invoked by passing one channel end
• Linear use of channel must be consumed within the continuation

(condition M = un p, ◦)

• Returned context re-builds channel type by setting used channel

end to void 16

Checking the scheduling protocol

• Protocol described by concurrent execution of

Service =!poll(w).(νp) (wp.p(t).p(d).!p(d)) Invoker = polly.y(p).(pWorkshop.p19April.(z1p | .. | znp))

• Type checking

check(Γ , Service | Invoker) = check( Invoker , check(Γ , Service) )

• Preservation of structural congruence

check(Γ , Invoker | Service) = check(Γ , Service | Invoker)

17

Algoritmic soundness

• The algorithm is sound
• typeCheck(Γ, P) implies Γ ⊢ P
• Completeness missing since ⊢ permits to infer
• Γ, x : (lin ?T.S1, lin !T.S2) ⊢ xv.C[x(y).P]
• Γ, x : (lin ?T.S1, lin !T.S2) ⊢ x(y).C[xv.Q]
• Γ, x : (lin ?T.S1, lin !T.S2) ⊢ xx.P
• Claim: processes in these judgements are deadlocked

18

Towards algoritmic completeness

• Proof transformation: Γ1 ⊢ P1 transformed in Γ2 ⊢ P2
• Construction: Γ, x : (lin ?T.S1, lin !T.S2) ⊢ xv.Q substituted in

the derivation tree for Γ1 ⊢ P1 with ∅ ⊢ 0

• Typed equivalence: Γ1 ⊲ P1 and Γ2 ⊲ P2 have same behavior
• Γ⊲ P is typed configuration such that ∆ ⊢ P and Γ·∆ defined
• Γ is less informative typed observer allowing moves of P
• Semantic completeness: typeCheck (Γ2, P2)

19

Conclusions

• We introduced type system ⊢ based on construct that describes

the two ends of the same channel

• An end point is described by session type qualified as linear or

unrestricted

• Linear types evolve to unrestricted types
• We assessed expressiveness by defining type-preserving

encoding of

• 1. linear lambda calculus [Walker&05]
• 2. linear pi calculus [KPT TOPLAS’99]
• 3. pi calculus with polarities [GH Acta’05]

20

Ongoing and future work

• We implemented rules ⊢ in type checking algorithm
• (Semantic) completeness in progress
• Still there are interesting processes that are not typable by ⊢

!x(y).(νa)(ya.a(title).a(date).(!a(date) | a22March)

• Both capabilities needed in continuation for receive and send date
• Sub typing `

a la Pierce&Sangiorgi would fix this 21